On 8/05/2014 8:38 p.m., Rafael Akchurin wrote:
> Hi jay,
>
> If I am not mistaken dstdom_regex is matched against the *contents* of HTTP/HTTPS request - it means if first needs to be bumped. So it will never work in your case...
> You need to know not ssl bump traffic before looking into its contents - the only acl that domes to mind is "dst" - i.e. ip address of the remote server. So something like ssl_bump deny your_skype_ip_acl.
>
> But I may be mistaken, hopefully some one on the list will correct me if so.
That is correct on both points regarding to intercepted port 443 traffic.
The browser type ACL only works (sometimes) on the CONNECT requests when
Skype is explicitly configured to use the proxy. In those same requests
it can be used to prevent bumping.
There is possibly a third option if Skype can be explicitly configured
to use the proxy through a special port number. The myportname ACL can
be used to prevent bumping any traffic received in that Squid port. This
avoids having to pre-know all the IPs Skype will use but is likewise
more risky than allowing non-bumped access to a set of whitelisted IPs
as non-Skype applications might also sneak traffic through the port.
Amos
Received on Thu May 08 2014 - 08:50:01 MDT
This archive was generated by hypermail 2.2.0 : Thu May 08 2014 - 12:00:04 MDT